HIV
HIV is a dangerous per-process memory-resident Win32 virus that infects PE EXE files (Windows applications) and MSI archives, “upgrades” itself from the Internet, and spreads by e-mail.

Behavior

To infect *.EXE files, the virus looks for them in the current directory and writes itself to the end of the file. To get control, the virus does not modify the program's entry point; instead it looks for standard subroutine headers/footers and patches a footer with a JMP_Virus instruction. As a result, the virus does not activate at the moment an infected file is run, but only when the patched routine is executed (when the corresponding branch gets control). The virus then stays in memory as a component of the infected program, hooks several file access functions, and infects EXE files that the infected program accesses. So the virus is active in Windows memory until the infected application terminates.

In some cases, when run on an NTFS volume, the virus creates an additional NTFS stream (ADS) named “:HIV” (“filename.ext:HIV”) in infected files and writes the following “copyright” text there:

This cell has been infected by HIV virus, generation: 0xNNNNNNNN

The NNNNNNNN in the message is the virus “generation” number.

The virus also intercepts access to MSI archives, opens them, looks for PE EXE files inside and infects them by overwriting the program entry routine with code that displays the following message when run:

Win32.HiV by Benny/29A
This cell has been infected by HIV virus, generation: 0xNNNNNNNN

The virus also looks for *.HTML files in the current directory and replaces them with XML files by appending a .XML extension to them. The virus then hides the infected XML files using a trick: it sets a registry key that causes Windows not to show extensions for XML files, changes the XML file icon, and puts the standard HTML file icon there.
As a result, infected HTML files (which are actually XML files after infection) are displayed by Explorer as standard HTML files in the file list. So an infected “File.html.xml” is shown as “File.html” with an HTML file icon.

The script program that the virus writes into infected HTML files accesses the Internet zone and opens the following file there:

http://coderz.net/benny/viruses/press.txt

In reality this is not a TXT file but an XML file, which Internet Explorer processes as a standard Web page (despite the file having a TXT extension). The script program in the PRESS.TXT file downloads a MSXMLP.EXE file from the same site and registers it in the auto-run Registry section:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HIV = c:\MSXMLP.EXE

The MSXMLP.EXE file found there is a standard Windows application containing a new virus version. So the virus author can “upgrade” the virus on infected machines, or install a Trojan.

The virus opens the WAB database (Windows Address Book), obtains e-mail addresses from it and sends messages with the following content:

From: press@microsoft.com
Sent: 2010/06/06 22:00
Subject: XML presentation
Message: Please check out this XML presentation and send us your opinion. If you have any questions about XML presentation, write us. Thank you, The XML developement team, Microsoft Corp.
Attached file: press.txt

The attached PRESS.TXT file is the same XML script program that the virus uses when infecting HTML files. So, when a user activates PRESS.TXT, a virus copy is downloaded to the computer and registered in the system registry. The virus saves that PRESS.TXT file in the root directory of the C: drive: C:\PRESS.TXT. While sending messages, the virus uses the MAPI library, so it does not depend on the mail system installed on the computer. The known virus version has a bug in the mailing routine and fails to send messages.
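A triage helper, added here as an example and not part of the original description, that scans captured `dir /r` output for the two file-system indicators described above: the “:HIV” alternate data stream on infected executables and the “.html.xml” double extension left behind on renamed HTML files. The `dir /r` line format and the sample listing are assumptions constructed for the example.

```python
import re

# Indicators taken from the description above.
ADS_NAME = "HIV"
ADS_RE = re.compile(r":" + re.escape(ADS_NAME) + r":\$DATA$", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.html\.xml$", re.IGNORECASE)

# `dir /r` is assumed to print a regular entry as "<date> <time> <size|<DIR>> <name>"
# and each alternate data stream on its own line as "<size> <name>:<stream>:$DATA".
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$")
STREAM_LINE = re.compile(r"^\s+[\d,]+\s+(.+?:.+?:\$DATA)\s*$")

# Constructed sample listing (not real output from an infected machine).
SAMPLE_DIR_R = r"""
 Directory of C:\Work

06/06/2010  10:00 PM    <DIR>          .
06/06/2010  10:00 PM            40,960 notepad.exe
                                    58 notepad.exe:HIV:$DATA
06/06/2010  10:01 PM             2,048 report.html.xml
06/06/2010  10:02 PM             1,024 clean.exe
06/06/2010  10:03 PM               300 notes.txt
                                    12 notes.txt:Zone.Identifier:$DATA
"""


def triage_dir_listing(text):
    """Return a list of (indicator, filename) pairs found in a `dir /r` listing."""
    findings = []
    for line in text.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            stream = m.group(1)
            # Only the ":HIV" stream is an indicator; e.g. Zone.Identifier is benign.
            if ADS_RE.search(stream):
                findings.append(("hiv-ads", stream.split(":")[0]))
            continue
        m = FILE_LINE.match(line)
        if m and DOUBLE_EXT_RE.search(m.group(1)):
            findings.append(("html-renamed-to-xml", m.group(1)))
    return findings


if __name__ == "__main__":
    for indicator, name in triage_dir_listing(SAMPLE_DIR_R):
        print(f"{indicator}: {name}")
```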
Categories: 29A, Assembly, Microsoft Windows, Win32, Virus, Win32 virus, TSR, Encrypted virus